summaryrefslogtreecommitdiffstats
path: root/tv
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2016-07-03 21:14:07 +0200
committertv <tv@krebsco.de>2016-07-03 21:14:07 +0200
commitb9531aec2e051913c04935f97bdff85aef4e7dbf (patch)
treedd52d1446be20fa00f88cfcc77b968d4db3f4d15 /tv
parent8f4742f184b7865bf3a29640d9a7cd480ad517d0 (diff)
cd nginx: enable https
Diffstat (limited to 'tv')
-rw-r--r--tv/1systems/cd.nix52
1 files changed, 41 insertions, 11 deletions
diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
index a46edb4..75c1900 100644
--- a/tv/1systems/cd.nix
+++ b/tv/1systems/cd.nix
@@ -44,20 +44,50 @@ with config.krebs.lib;
"cgit.cd.viljetic.de"
];
# TODO make public_html also available to cd, cd.retiolum (AKA default)
- krebs.nginx.servers.public_html = {
- server-names = singleton "cd.viljetic.de";
- locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
- alias /home/$1/public_html$2;
- '');
+ krebs.nginx.servers."https://viljetic.de" = {
+ server-names = singleton "viljetic.de";
+ listen = mkForce []; # disable default
+ ssl = {
+ enable = true;
+ certificate = "/var/lib/acme/viljetic.de/fullchain.pem";
+ certificate_key = "/var/lib/acme/viljetic.de/key.pem";
+ };
+ locations = [
+ (nameValuePair "/" ''
+ root ${pkgs.viljetic-pages};
+ '')
+ (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
+ alias /home/$1/public_html$2;
+ '')
+ ];
};
- krebs.nginx.servers.viljetic = {
+ krebs.nginx.servers."http://viljetic.de" = {
server-names = singleton "viljetic.de";
- # TODO directly set root (instead via location)
- locations = singleton (nameValuePair "/" ''
- root ${pkgs.viljetic-pages};
- '');
+ locations = [
+ (nameValuePair "/.well-known/acme-challenge/" ''
+ root /var/lib/acme/challenges/viljetic.de/;
+ '')
+ (nameValuePair "/" ''
+ return 301 https://viljetic.de$request_uri;
+ '')
+ ];
+ };
+ security.acme = {
+ certs."viljetic.de" = {
+ email = "tomislav@viljetic.de";
+ webroot = "/var/lib/acme/challenges/viljetic.de";
+ plugins = [
+ "account_key.json"
+ "key.pem"
+ "fullchain.pem"
+ ];
+ user = "nginx";
+ };
};
- tv.iptables.input-internet-accept-tcp = singleton "http";
+ tv.iptables.input-internet-accept-tcp = [
+ "http"
+ "https"
+ ];
}
];